How to set up multiple authorization nodes (Keystone HA)?

I am in charge of supplying a service utilizing Swift, Keystone, and a custom front end that needs to have high availability and security as its main function. This is my first development project of any kind, so I may be missing some glaringly obvious things. I want to build a setup that spans 4 geographical locations and that will scale from there if need be. So far my plan is that two of the nodes will include object storage and the other two nodes will supply authorization, Identity v3, SSL termination, and load balancing services. I understand how to implement storage and proxy services, and I have all the goodies for a high-availability storage cluster; however, it is the load balancing and identity that I am stuck on. My questions are:

Is there a built-in function for Keystone to sync between two nodes? I have failed to find it anywhere.

Is it even safe for me to terminate SSL at the auth node, considering they will be colocated in different geographical regions?

Is there a better solution that does not leave me with an authorization bottleneck?

1 answer

We set up HA Keystone; however, by default it isn't using SSL. You may want to use a load balancer that is able to apply SSL to your endpoint. You aren't really worried about keeping them all in sync, as you are going to either have a MySQL back-end or you could use LDAP.

The harder configuration is going to be setting up MySQL HA that is available in each location so that you don't have tons of latency between user auths.

I would look into using geographic-based DNS to send someone to the closest endpoint.
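
A sketch of the load-balancer layout the answer describes, as an added example that is not part of the original answer: a load balancer terminating TLS in front of two Keystone nodes and re-encrypting to each backend, so credentials and tokens do not cross between sites in cleartext. The choice of HAProxy, and every address, hostname and file path below, are assumptions.

```haproxy
# Added example. HAProxy is an assumed choice of load balancer; all
# addresses (documentation ranges), names and paths are placeholders.
global
    # Refuse legacy protocol versions on every TLS listener
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend keystone_public
    # Clients speak TLS to the load balancer; the PEM holds cert + key
    bind :5000 ssl crt /etc/haproxy/certs/keystone.example.org.pem
    http-request set-header X-Forwarded-Proto https
    default_backend keystone_nodes

backend keystone_nodes
    balance roundrobin
    # Drop a node from rotation when its Identity v3 root stops answering
    option httpchk GET /v3
    # Re-encrypt to each node and verify its certificate against an
    # internal CA, so the inter-site hop is authenticated and encrypted.
    # Both nodes read the same MySQL or LDAP back end, as the answer says,
    # so no Keystone-level sync between them is configured here.
    server keystone1 192.0.2.11:5000 check ssl verify required ca-file /etc/haproxy/ca/internal-ca.pem
    server keystone2 198.51.100.11:5000 check ssl verify required ca-file /etc/haproxy/ca/internal-ca.pem
```

Running `haproxy -c -f <file>` checks the syntax of a configuration like this before it is loaded.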